Design And Implementation Of Identification & Authentication And Access Control In Secure Operating System

Referring to related security criterias of computer system, we designed and realized Ercist 4.0 secure operating system. The system, which is a B2 level secure operating system, is based on the source code of Linux. Ercist 4.0 secure operating system uses a new model of securiy policy, which combines RBAC, DTE and MAC together and makes access control more flexible. We introduce the design and implementation of identification and authentication mechanism and access control mechanism in this thesis.Identification and authentication are critical technologies in operating systems. Identification is to identify who the user is; Authentication is to authenticate whether the user is the person who he claims he is. Identification and authentication is the foundation to realize the security mechanisms of operating system itself. And the security of the identification and authentication is also important to ensure the security of the whole operating system. To support the new security mechanisms of the secure operating system, we describe the design and realization of the extended identification and authentication mechanism in Ercist 4.0 secure operating system in this thesis. After extension, new security properties of users are added to the identification and authentication system in order to support RBAC, DTE and MAC in the secure operating system. Besides, to enforce the security of authentication process, in this thesis we propose the design and implementation of a passwd checker and mandatary identification and authentication mechanism in Ercist 4.0 secure operating system. Access control is a very important part of the security of operating system. Access control is to control the access of objects by the identity of theuser, which is based on the identification and authentication mechanism. We introduce the design and implementation of the multiple policies access control model of Ercist 4.0 secure operating system in this thesis. We can choose to use only one access control mechanism or several access control mechanisms at the same time in the secure operating system.During the process of the design and the development of Ercist 4.0 secure operating system, we found that RBAC can reduce the complexity of the management of access control, but it's still rather difficult to assign permissions to roles efficiently and reasonably, further more, RBAC is not fit to manage the access controls where exists dependency and sequence. In this thesis we try to solve the two difficulties mentioned above by embedding task mechanism in RBAC, that is, permissions are assigned to tasks, tasks are assigned to roles, and a role can only use the permissions that areallowed by the tasks it's executing. A model called TBPM-RBAC is proposed, then we present the definitions of the model, analyze the model and give two application examples of the model.